Why that email from your boss could be a scam waiting to happen

Impersonation fraud is on the rise, and SMBs lose an average of $35,000 to these attacks, according to Lloyds Bank.

How the Department of Homeland Security is cracking down on phishingFederal domain adoption of DMARC increased 38 percent in a 30 day period, but is it enough to secure government agencies from email fraud? Agari founder Patrick Peterson explains how the system works.

Double check that email from your boss—it could be a scam, according to a recent report from Get Safe Online and Lloyds Bank.

Impersonation fraud—also known as Business Email Compromise (BEC)—is on the rise, as criminals gain access to a business email account and pretend to be the account owner in order to defraud the company and its employees, customers, or partners.

One in 12 businesses have fallen victim to impersonation fraud, the report found, and there has been a 58% rise in this type of crime this year. However, the data is based only on reported fraud cases, the report noted, so the true scale of the problem is likely much larger.

SMBs are particularly at risk, as those in the UK lose an average of £27,000 (about $35,160) to fraudsters, according to Lloyds Bank data. One in five victims (20%) are forced to fire employees after such an attack due to the financial impact, the report stated.

"The rise of impersonation fraud is a very concerning issue for small and medium-sized businesses," Gareth Oakley, managing director of business banking at Lloyds Bank, said in a press release. "We know that falling victim to these types of scams can be serious as the impact extends beyond just the financial implications."

Part of the problem is a lack of cybersecurity training for employees, the report found. Some 37% of employees said they don't know what to look out for when checking an email for fraud, or they don't have any security precautions in place to combat it.

Fear of punishment also keeps employees from reporting cybersecurity mistakes, the report found: One in 20 employee victims of impersonation fraud said they were so ashamed that they hid their mistake from their team. However, hiding an issue like this likely causes further problems, the report noted. If the systems have been compromised, the criminals may be able to access other critical information, or make new payment requests, increasing losses.

More than half of employees surveyed said they have seen scammers impersonating their boss, and half also said they have experienced fraudsters posing as suppliers, with invoice fraud becoming another popular scam, the report found.

These findings highlight the fact that email is not always a secure method of business communication. A recent Barracuda report on BEC offered the following recommendations to keep your company safe from these attacks:

Prohibit wire transfers from going out without an in-person conversation or phone call. Even with a phone call, take caution if the only contact information is that included in the potentially fraudulent email.

Take caution with emails from CEO accounts, as those professionals are most likely to be impersonated. If the CEO makes a request that seems unusual, the user should confirm its legitimacy before taking action.

Implement a training program to teach employees how to identify a BEC attack.

Deploy an email protection system to automatically stop spear phishing and cyberfraud attacks that can lead to a successful BEC scam.

The big takeaways for tech leaders:

One in 12 businesses have fallen victim to impersonation fraud. — Get Safe Online and Lloyds Bank, 2018

SMBs in the UK lose an average of £27,000 to fraudsters. — Get Safe Online and Lloyds Bank, 2018

Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Delivered Tuesdays and Thursdays